Build and release next MODEL (aka major) version 15-0-0 of Secure schemas
Purpose
Identify, build and release the next major version of the Secure schemas.
Currently each new field to the report is added as an optional field. At some point, these fields be added as required in the schema if it makes sense to do so. Similarly there are fields that can be deprecated, deprecated fields can be removed, and constraints of certain fields may also change.
Each change should be evaluated for the impact to groupthreat insights and sectionsec analyzers. Changes will be implemented and merged when stakeholders are ready.
How to contribute MRs
See #339812 (comment 847042725)
Proposed schema changes
Acceptance for each group is given by their representative using the following emoji:
Quorum for section-wide consensus is TBD.
| Field | Change | Affects schemas | Impact on groupthreat insights / Rails | Impact on sectionsec / Analyzers | TI | CS | DAST | SCA | SAST |
|---|---|---|---|---|---|---|---|---|---|
scan (done in v15_wip) |
Mark as required
|
all | None, scan is already optionally parsed | Must produce scan object, most do this already |
|||||
scan.analyzer (done in v15_wip) |
Mark as required
|
all | None, analyzer is already optionally parsed | Must produce scan.analyzer object, most don't do this already |
|||||
scan.scanner |
Remove | all | |||||||
scan.scanners[] |
New field | all | Rails will need to parse it if it exists, and save many scanners per scan, not just one. Tracking must be updated to track many scanners. UI must be updated to show a list. | Must replace scan.scanner with scan.scanners[], ensure scan.scanner[] contains information about scanners, not the analyzer |
|||||
vulnerabilities[].cve (done in v15_wip) |
Remove field, remove from required
|
all | TBD | ||||||
vulnerabilities.id (done in v15_wip) |
Mark as required
|
all | None, field is already parsed | Must produce vulnerabilities[].id
|
|||||
vulnerabilities[].scanner (done in v15_wip) |
Remove field, remove from required
|
all | TBD, will need to rely on scan.analyzer
|
Should remove field | |||||
vulnerabilities[].category (done in v15_wip) |
Remove field, remove from required
|
all | TBD, will need to rely on scan.type
|
Should remove field | |||||
vulnerabilities[].discovered_at (done in v15_wip) |
Remove field (see comment) | dast |
None, the field is not parsed | DAST analyzers will need to update the format of the field | |||||
headers[].value in the following places in vulnerabilities[].evidence: request, response, supporting_messages.request, supporting_messages.response (done in v15_wip) |
Remove minLength: 1 constraint as HTTP spec allows empty values |
dast |
TBD | DAST analyzers should remove filtering of headers with empty value | |||||
vulnerabilities[].confidence (done in v15_wip) |
Remove field, remove from required
|
all | TBD | Should remove field | |||||
vulnerabilities[].message (done in v15_wip) |
Remove field, remove from required
|
all | Update references to rely off name in shorted form, truncated description for longer needs |
Should remove field | |||||
vulnerabilities[].name (done in v15_wip) |
Add maxLength constraint |
all | None | None, but should align with Rails field limits | |||||
vulnerabilities[].description (done in v15_wip) |
Add maxLength constraint |
all | None | None, but should align with Rails field limits | |||||
$id (done in v15_wip) |
New field (see comment) | all | None | None | |||||
scan.start_time, scan.end_time (done in v15_wip) |
Update pattern (see comment) |
all | None | None | |||||
dependency.version (done in v15_wip) |
Mark as required
|
dependency_scanning |
None | None | |||||
dependency.package (done in v15_wip) |
Mark as required
|
dependency_scanning |
None | None | |||||
dependency.package.name (done in v15_wip) |
Mark as required
|
dependency_scanning |
None | None |
Edited by Fabien Catteau